# PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector **[cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector](https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector)** Written By Cybereason Nocturnus April 30, 2021 | 7 minute read The [Cybereason Nocturnus Team has been tracking recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF](https://www.cybereason.com/blog/authors/cybereason-nocturnus) _[exploit builder. Over the years, this tool has become a part of the arsenal of several Chinese-related threat actors such as Tick,](https://malpedia.caad.fkie.fraunhofer.de/actor/tick)_ [Tonto Team](https://malpedia.caad.fkie.fraunhofer.de/actor/tonto_team) [and TA428, all of which employ RoyalRoad regularly for spear-phishing in targeted attacks against high-value targets.](https://malpedia.caad.fkie.fraunhofer.de/actor/ta428) ----- e a a y g e y d sco e ed oya oad sa p es obse ed t e d, t e octu us ea detected o e t at ot o y e b ts anomalous characteristics, but also delivers PortDoor _malware, a previously undocumented backdoor assessed to have been developed by a_ threat actor likely operating on behalf of Chinese state-sponsored interests. [According to the phishing lure content examined, the target of the attack was a general director working at the Rubin Design Bureau, a](https://en.wikipedia.org/wiki/Rubin_Design_Bureau) Russian-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy. ### Key Findings **RoyalRoad Variants are Under Development: The variant of the RoyalRoad weaponizer examined altered its encoded payload from** the known “8.t” file to a new filename: “e.o”. More new variants are likely to be under development as well. **Previously Undocumented Backdoor: The newly discovered RoyalRoad RTF variant examined also drops a previously undocumented** and stealthy backdoor dubbed PortDoor which is designed with obfuscation and persistence in mind. **Highly Targeted Attack: The threat actor is specifically targeting the Rubin Design Bureau, a part of the Russian defense sector** designing submarines for the Russian Federation’s Navy. **Extensive Malware Capabilities: Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling,** delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more. **APT Group Operating on Behalf of Chinese State Interests: The accumulated evidence such as the infection vector, social** engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests. ### Analysis of the Spear-Phishing Attack: Intro to RoyalRoad [RoyalRoad is a tool that generates weaponized RTF documents that exploit the following vulnerabilities in Microsoft’s](https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper) [Equation Editor:](https://support.microsoft.com/en-us/office/equation-editor-6eac7d71-3c74-437b-80d3-c7dea24fdf3f) CVE2017-11882, [CVE-2018-0798 and](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0798) [CVE-2018-0802. RoyalRoad is used primarily by threat actors considered to be operating on behalf of](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0802) [Chinese state interests (e.g Tick,](https://malpedia.caad.fkie.fraunhofer.de/actor/tick) [Tonto Team,](https://malpedia.caad.fkie.fraunhofer.de/actor/tonto_team) [TA428,](https://malpedia.caad.fkie.fraunhofer.de/actor/ta428) [Goblin Panda,](https://malpedia.caad.fkie.fraunhofer.de/actor/hellsing) [Rancor).](https://malpedia.caad.fkie.fraunhofer.de/actor/rancor) RoyalRoad has rather consistent characteristics and most of the weaponized RTF documents usually drop an encoded file named “8.t”, which - once decoded - can deliver a variety of payloads for different threat actors. In this report, we discuss a deviation from the “classic” RoyalRoad characteristics. The dropped object name was changed from the very consistent “8.t” naming convention to the new “e.o” file name. ### Spear-Phishing Email Delivers RoyalRoad RTF The initial infection vector is a spear-phishing email addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design [Bureau, a submarine design center from the “Gidropribor” concern in St. Petersburg, a national research center that designs underwater](https://www.gidropribor.ru/en/) weapons like submarines: _Content of the spear-phishing e-mail_ ----- e e a attac e t s a a c ous docu e t eapo ed t a oya oad pay oad, t co te t desc b g a ge e a e o a [autonomous underwater vehicle:](https://en.wikipedia.org/wiki/Autonomous_underwater_vehicle) _Content of the weaponized RTF document_ The creation time of the RTF is timestomped to 2007, presumably to thwart investigation or detection efforts. [Timestomping is a known](https://attack.mitre.org/techniques/T1070/006/) [technique used by threat actors to try and remain under the radar:](https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite) _Historical RTF data from VirusTotal_ [Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup folder. This technique](https://support.microsoft.com/en-us/office/load-or-unload-a-template-or-add-in-program-2479fe53-f849-4394-88bb-2a6e2a39479d) is used by various actors to bypass detection of automatic execution persistence, since Word must be relaunched in order to trigger the add-in file, making the persistence mechanism less “noisy”. [Contrary to the common “8.t” file name observed in most RoyalRoad payloads, this new RoyalRoad variant uses “e.o” naming convention for](https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html) the temporary file payload, which is eventually written to MS Word startup folder as “winlog.wll”: _Weaponized RTF execution and dropped files on disk_ The malicious execution of the RTF file is detected by the [Cybereason Defense Platform:](https://www.cybereason.com/platform#graphic) ----- _Cybereason Detection of the PortDoor Backdoor_ ### PortDoor Backdoor Analysis The dropped payload, named “winlog.wll”, is a previously undocumented backdoor. Its main capabilities include: Gathering reconnaissance and profiling of the victim’s machine Receiving commands and downloading additional payloads from the C2 server Communicating with the C2 server using raw socket as well as HTTP over port 443 with proxy authentication support Privilege escalation and process manipulation Dynamic API resolving for static detection evasion One byte XOR encryption of sensitive data and configuration strings The collected information is AES-encrypted before it is sent to the C2 server ### Detailed Analysis The DLL itself has multiple export functions, going from DllEntry00 to DllEntry33. Most of these exports simply return sleep loops, a likely antianalysis measure. The main functionality resides within the DllEntry28 and DllEntry18: ----- _DLL exports of the PortDoor backdoor_ In order to get the configuration information, the backdoor first decrypts the strings using a hardcoded 0xfe XOR key: _Strings decryption routine_ The decrypted data includes the following configuration information: _The decrypted strings in memory_ **Decrypted string** **Purpose** 45.63.27[.]162 C2 address Kr*^j4 N/A B-JDUN Victim identifier 58097616.tmp Data file name written to %temp% 0987654321fedcba AES-CBC key It is worth noting that, during the analysis, the communication with the C2 was not successful and therefore some analysis information may be incomplete. Following the debugger presence check and the string decryption, the malware then creates an additional file in %temp% with the hardcoded name “58097616.tmp”, and writes the GetTickCount value multiplied by a random number to it: ----- _Value written to the “58097616.tmp” file_ This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware. The malware then proceeds to attempt to establish a connection with the C2 which supports the transfer of data using TCP over raw sockets, or HTTPS using the CONNECT method. In addition the backdoor appears to be proxy-aware, distinguishing between two HTTP response types: “200” response and “407” (Proxy Authentication Required): _Hardcoded HTTP headers with proxy support_ [PortDoor also has the ability to achieve privilege escalation by applying the Access Token Theft technique to steal explorer.exe tokens and run](https://attack.mitre.org/techniques/T1134/001/) under a privileged security context: _Access token theft from explorer.exe_ Eventually, the malware awaits for further instructions from the C2 to continue its execution. This is done via the following switch case: ----- _Some of the switch case implemented methods_ For example, the get_pc_info() case gathers basic PC info to be sent to the C2, and the “B-JDUN” string is most likely being used as a unique identifier for the campaign/victim: _The information gathered on the infected PC_ Lastly, before sending the information to the C2 server the backdoor uses AES to encrypt the stolen PC information data: _AES encrypted information gathered on the PC_ The backdoor’s main C2 command functionality is summarized in the table below: **Case** **Action** 0x08 Get PC info, concat with the “B-JDUN" identifier 0x30 List running processes 0x31 Open process 0x41 Get free space in logical drives 0x42 Files enumeration 0x43 Delete file 0x44 Move file 0x45 Create process with a hidden window ----- 0x28 Open file for simultaneous operations 0x29 Write to file 0x2a Close handle 0x2b Open file and write directly to disk 0x01 Look for the “Kr*^j4” string 0x10 Create pipe, copy data from it and AES encrypt 0x11 Write data to file, append with “\n” 0x12 Write data to file, append with “exit\n” _C2 command functionality summarized_ Another anti-analysis technique observed being used by the PortDoor backdoor is dynamic API resolving. The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports: _Dynamic API resolving_ [The malicious execution of the PortDoor backdoor DLL is detected by the Cybereason Defense Platform:](https://www.cybereason.com/platform#graphic) _PortDoor Backdoor DLL as detected by Cybereason_ ### Attribution At the time of this analysis, there was not enough information available to attribute the newly discovered backdoor to a known threat actor with reasonable certainty. However, there are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed in this blog. [Based on previous work done by nao_sec, the Nocturnus Team was able to determine that the RTF file discussed in this blog was weaponized](https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html) with RoyalRoad v7, which bears the indicative “b0747746” header encoding and was previously observed being used by the Tonto Team, TA428 and Rancor threat actors, as can be seen below: ----- _RoyalRoad attribution matrix. Credit: nao_sec_ Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense related targets. For example, it was previously reported that Tonto Team is known to have attacked Russian organizations in the past using the [Bisonal malware.](https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html) When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents. The newly discovered backdoor does not seem to share significant code similarities with previously known malware used by the abovementioned groups, other than anecdotal similarities that are quite common to backdoors, leading us to the conclusion that it is not a variant of a known malware, but is in fact novel malware that was developed recently. Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor. We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete. ### Conclusion RoyalRoad has been one of the most used RTF weaponizers in the Chinese threat actors sphere in recent years. It is mostly observed in the initial compromise phase of targeted attacks where spear-phishing is used to lure victims into opening malicious documents which in turn exploit Microsoft Equation Editor vulnerabilities to drop different malware. In this report, we discussed the latest changes that were made to the RoyalRoad weaponizer that deviate from some of its well-documented and predictable indicators. It is perhaps an indication that the threat actors who are operating it are attempting to avoid “low hanging fruit” detections. In addition, we reported the discovery of the novel PortDoor backdoor, a previously undocumented and stealthy tool designed to grant the attackers access to their targets’ machines, collect information, and deploy additional payloads. At the time of writing this report, it is still unclear which threat actor is behind the new backdoor, however we have identified two potential suspects that fit the profile. Currently there is not enough information available to prove the stated hypothesis with a high level of certainty. **LOOKING FOR THE IOCs? CLICK ON THE CHATBOT DISPLAYED IN LOWER-RIGHT OF YOUR SCREEN.** ### MITRE ATT&CK Matrix **Reconnaissance** **Initial Access** **Execution** **Persistence** **Privilege** **Escalation** **Defense Evasion** **Discovery** **Comma** **and** **Contro** Gather Victim Host Information Phishing: [Spearphishing](https://attack.mitre.org/techniques/T1566/001/) Attachment Command and Scripting [Interpreter:](https://attack.mitre.org/techniques/T1059/003/) Windows Command Shell Office Application Startup: Add-ins [Process Injection](https://attack.mitre.org/techniques/T1055/) Masquerading: Match [Legitimate Name or](https://attack.mitre.org/techniques/T1036/005/) Location Virtualization/Sandbox Evasion Encrypt Channe ----- Access Token [Manipulation: Token](https://attack.mitre.org/techniques/T1134/001/) Impersonation/Theft Virtualization/Sandbox Evasion File and Directory Discovery [Process Injection](https://attack.mitre.org/techniques/T1055/) System Information Discovery Applicat [Layer](https://attack.mitre.org/techniques/T1071/) Protoco Proxy: [Externa](https://attack.mitre.org/techniques/T1090/002/) Proxy Obfuscated Files or Information Access Token [Manipulation: Token](https://attack.mitre.org/techniques/T1134/001/) Impersonation/Theft Signed Binary Proxy Execution: Rundll32 System Time Discovery [Process Discovery](https://attack.mitre.org/techniques/T1057/) ### About the Researchers: **DANIEL FRANK** Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher in F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems. **ASSAF DAHAN** Assaf Dahan is the Senior Director and Head of Threat Research at Cybereason. He has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering. ## PortDoor | Indicators of Compromise **Indicator** **Type** **Comment** 48a312bfbcd1674501a633fbdcaa99a487e6260414a6e450a19982578b128a52 _SHA256_ _Phishing email_ 774a54300223b421854d2e90bcf75ae25df75ba9f3da1b9eb01138301cdd258f b60c9b59e03101277196bce597701eab5cfb0fd6b37442a5029673a11ffb9295 aec6271de4436ddf0067e67c389cbddb82f73d749e4713f5c8b375ad0ee7da9c _SHA256_ _Weaponized RTFs_ 2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c _SHA256_ _Backdoor_ 45.63.27[.]162 _IP_ _C2_ ----- About the Author **Cybereason Nocturnus** The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks. [All Posts by Cybereason Nocturnus](https://www.cybereason.com/blog/authors/cybereason-nocturnus) -----